Methods and systems for event detection include defining a plurality of conditions that represent one or more synthetic events. Data from a plurality of data sources is aggregated across a period of time, multiple attack surfaces, and geographically distinct locations. The aggregated data is matched to the conditions to determine whether a synthetic event has occurred. A response to the synthetic event is formed to resist an attack.